Dedecms
by Dedecms
Source repositories
CVEs (169)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16786 | | Med | 0.40 | 6.1 | 0.01 | | Sep 21, 2018 | DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. |
| CVE-2025-6335 | | Med | 0.31 | 4.7 | 0.07 | | Jun 20, 2025 | A vulnerability was found in DedeCMS up to 5.7.2 and classified as critical. This issue affects some unknown processing of the file /include/dedetag.class.php of the component Template Handler. The manipulation of the argument notes leads to command injection. The attack may be… |
| CVE-2023-3578 | | | 0.06 | — | 0.03 | | Jul 10, 2023 | A vulnerability classified as critical was found in DedeCMS 5.7.109. Affected by this vulnerability is an unknown functionality of the file co_do.php. The manipulation of the argument rssurl leads to server-side request forgery. The exploit has been disclosed to the public and… |
| CVE-2015-4553 | | | 0.06 | — | 0.57 | | Jan 6, 2020 | A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell. |
| CVE-2018-20129 | | | 0.06 | — | 0.08 | | Dec 13, 2018 | An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by… |
| CVE-2023-2928 | | | 0.05 | — | 0.51 | | May 27, 2023 | A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can… |
| CVE-2020-27533 | | | 0.03 | — | 0.03 | | Oct 22, 2020 | A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages. |
| CVE-2011-5200 | | | 0.03 | — | 0.02 | | Sep 23, 2012 | Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php. |
| CVE-2009-3806 | | | 0.03 | — | 0.03 | | Oct 27, 2009 | SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter. |
| CVE-2024-57241 | | | 0.02 | — | 0.01 | | Feb 11, 2025 | Dedecms 5.71sp1 and earlier is vulnerable to URL redirect. In the web application, a logic error does not judge the input GET request resulting in URL redirection. |
| CVE-2019-8933 | | | 0.02 | — | 0.03 | | Feb 19, 2019 | In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template… |
| CVE-2023-36298 | | | 0.01 | — | 0.01 | | Aug 3, 2023 | DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE). |
| CVE-2022-35516 | | | 0.01 | — | 0.02 | | Aug 17, 2022 | DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php. |
| CVE-2022-34531 | | | 0.01 | — | 0.23 | | Jul 29, 2022 | DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE) vulnerability via the component mytag_ main.php. |
| CVE-2022-23337 | | | 0.01 | — | 0.02 | | Feb 14, 2022 | DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerability in article_coonepage_rule.php via the ids parameter. |
| CVE-2018-18608 | | | 0.01 | — | 0.03 | | Oct 23, 2018 | DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php,… |
| CVE-2026-29839 | | | 0.00 | — | 0.00 | | Mar 24, 2026 | DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php. |
| CVE-2026-30694 | | | 0.00 | — | 0.01 | | Mar 19, 2026 | An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component. |
| CVE-2024-30855 | | | 0.00 | — | 0.00 | | Dec 29, 2025 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php. |
| CVE-2025-5137 | | | 0.00 | — | 0.00 | | May 25, 2025 | A vulnerability was found in DedeCMS 5.7.117. It has been classified as critical. Affected is an unknown function of the file dede/sys_verifies.php?action=getfiles of the component Incomplete Fix CVE-2018-9175. The manipulation of the argument refiles leads to code injection. It… |
Page 2 of 9